How I got 7 open redirects and 7 XSS in a public program!


Intro:

Spider4

In this article I explain how I found open redirect and XSS issues in a public bug bounty program on Bugcrowd.

Details:

For the recon part, I used Shodan to get more subdomains, as the scope is
*.example.com
The query I used is:

hostname:"example.com"

The search results gave me some subs, one of them for example
`common.example.com`
After opening this subdomain, it returned a white page with no content.

I decided it was fuzzing time, so I used ffuf to look for any files or directories:

ffuf -u "https://common.example.com/FUZZ" -w spider.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

but I was blocked and unable to fuzz.
So from Shodan I searched for the IPs behind that domain name.
The query I used is:

hostname:"common.example.com"

and I found a lot of IPs.
Fuzzing the IP directly might not be blocked the way the hostname was, so I tried that instead:

ffuf -u "https://111.222.333.444/FUZZ" -w spider.txt -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

After about a day of fuzzing, I had some results, but only one with status code 200.
I accessed this endpoint and found a login page showing this error:
https://common.example.com/endpoint

So I added a `return` param to see what would happen:

https://common.example.com/endpoint?return=

The error disappeared and I could enter an email to log in.

From the param name (`return`) it looked like a redirect param, so I tested for open redirect:
https://common.example.com/endpoint?return=https://evil.com

and entered an arbitrary value in the email field like `spider@gmail.com`. After clicking next I got this error:

I think this error appeared because that email is not registered in the portal, so what about `admin@example.com`?

After clicking ‘next’, I was surprised to be redirected to evil.com.

Escalation time:

The first thing that came to my mind was trying XSS,
so I tried `javascript:alert();` but it didn't work.

After many payloads and tries, it turned out it just needed `//` after the payload to comment out the remaining code and remove the errors :)

like `https://common.example.com/endpoint?return=javascript:alert("spider");//`

Finally, it worked.

I reported it and it was triaged the next day.
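The `return` param above is a classic client-side redirect sink: whatever value the page puts into the browser's location becomes both an open redirect (`https://evil.com`) and, via the `javascript:` scheme, XSS. The following is an added example (not code from the original post or from the affected application) showing the vulnerable pattern next to a hardened replacement. It assumes the app did something like `location.href = params.get("return")`; that is an assumption about the target, not something the post shows. `siteOrigin` and the sample inputs are constructed for the example.

```javascript
// Added example, not from the original post or the affected app.
// Assumption: the login page navigated to the raw ?return= value.

// Vulnerable pattern: the query value is used as the navigation target as-is.
// "https://evil.com" leaves the site; 'javascript:alert("spider");//' runs script.
function unsafeRedirectTarget(returnParam) {
  return returnParam;
}

// Hardened version: resolve the value against our own origin and accept only
// http(s) URLs that stay on that origin. Anything else gets the fallback path.
function safeRedirectTarget(returnParam, siteOrigin, fallback = "/") {
  if (typeof returnParam !== "string" || returnParam.length === 0) {
    return fallback;
  }
  let target;
  try {
    // "/dashboard" resolves to siteOrigin + "/dashboard".
    // "//evil.com/phish" resolves to https://evil.com/phish, which the
    // origin comparison below rejects.
    target = new URL(returnParam, siteOrigin);
  } catch {
    return fallback; // unparseable input is never a valid destination
  }
  // The URL parser lowercases the scheme, so "JAVASCRIPT:" is caught too.
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return fallback; // javascript:, data:, vbscript:, ...
  }
  if (target.origin !== new URL(siteOrigin).origin) {
    return fallback; // off-site destination (also catches user@evil.com tricks)
  }
  // Hand back only path + query + fragment, so the value used for navigation
  // is always a same-origin relative URL.
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs, modelled on the payloads discussed in the post.
const SAMPLES = [
  "/dashboard",
  "https://common.example.com/account?tab=1",
  "https://evil.com",
  "//evil.com/phish",
  'javascript:alert("spider");//',
  "JAVASCRIPT:alert(1)",
  "",
];

// Returns [input, sanitised output] pairs for every sample.
function demo(origin = "https://common.example.com") {
  return SAMPLES.map((value) => [value, safeRedirectTarget(value, origin)]);
}

for (const [input, out] of demo()) {
  console.log(JSON.stringify(input), "->", out);
}
```

The origin check is what makes the difference: a blocklist of schemes would still let `//evil.com` through, and a plain `startsWith("/")` check would still let `//evil.com` through, whereas resolving with `new URL(value, siteOrigin)` and comparing `origin` handles both, and returning only the path means the redirect can never carry a third-party host.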

Looking for the same bug in other subdomains:

I decided to search for the same endpoint in other subdomains,
so I gathered all the subdomains I could.

Tools used for gathering:

subfinder -d example.com -all > subfinder.txt
assetfinder -subs-only example.com > assetfinder.txt
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > crtsh.txt
cat *.txt | sort -u > all_subs.txt

Now I had almost all the subs in a file named `all_subs.txt`.

cat all_subs.txt | grep -i "common"

I used this command to get all subs containing the word `common`.
It gave me 6 different subdomains:

eu-random.common.example.com
ap-random.common.example.com
us-random.common.example.com
eu-random.gcp.common.example.com
ap-random.gcp.common.example.com
us-random.gcp.common.example.com

I opened all of them in the browser, and every one of them was vulnerable to open redirect and XSS.

I reported them and Bugcrowd triage changed the report status to triaged, but after some days I got this message from the internal security team:

This means only one issue was accepted :(
